Cloud

PCI Security Standards Council Releases New Information Supplement on Cloud Computing

By: Gene Geiger, Partner of A-lign Security and Compliance Services

In February the PCI Security Standards Council (the “Council”) released a new information supplement related to the application of the Payment Card Industry Data Security Standards (“PCI DSS”) requirements in the Cloud. The goal of the information supplement is to assist Merchants and Cloud Service Providers (“CSP”) in maintaining PCI DSS compliant environments and also to guide the Qualified Security Assessors (“QSA”) that are tasked with performing the validation assessments.

Which Cloud Holds My Data?

One of the discussions brought up at this year’s AICPA Service Organization Controls (SOC) School was the issue of cloud computing and the effects it has on industries that are subjected to a SOC 1 or SOC 2 audit. When it comes to cloud computing, subservice organizations may be involved in providing the operations that a service organization might perform. This relationship is where the service organization and user entity could find themselves at risk. As experienced service auditors, we are able to look at the risks involved with the subservice organization’s footprint and determine the best course of action for our service organization, i.e. our clients.

A-LIGN Security and Compliance Services To Present Webinar, “Reducing Audit Impact by A-LIGNing PCI DSS, SOC 1 & 2 Requirements”

Gene Geiger, Director at A-LIGN Security and Compliance Services, will present a webinar to share practical recommendations for improving overall audit efficiency, which will lead to reduced audit impact, audit costs and audit fatigue. The presentation will take place on April 18, 2012 from 1-2 pm EST. All individuals/organizations are…

Evaluating Managed Service Providers’ PCI DSS Compliance

You need a managed service provider to outsource information technology services for your organization, but since you are in the payment card industry, they will need to be PCI DSS compliant. So you Google the service you need, compile a list of possible vendors, review their website and see that critical PCI DSS logo, so you are good-to-go, right? Maybe. The PCI Data Security Standard (“DSS”) is a set of information security standards published by the PCI Security Standards Council (“SSC”) for companies that store, process or transmit cardholder data. The PCI DSS includes twelve requirements that companies are required to implement in order to be PCI DSS compliant. When considering PCI DSS compliant service providers it is critical to understand which of their service offerings have been validated as PCI DSS compliant and which requirements were included in the assessment. If I had a nickel for every time a client said “they are PCI DSS so we are OK” I could buy a gallon of gas.


Cloud Computing and SOC 2

As more businesses begin to shift their interests to Cloud Computing, there are concerns regarding security-related risks.  First, let’s discuss the “Cloud”. Cloud computing is a new way of delivering computing resources, not a new technology.  Cloud computing providers give end users the ability to access applications via the internet.  As Cloud computing is achieving increased popularity, security concerns have become paramount with the adoption of this new computing model.  The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of this innovative deployment model differ widely from those of traditional architectures.


SSAE 16 Benefits to Service Organizations

Service organizations receive significant value from having an SSAE 16 examination performed.  An SSAE 16 report with an unqualified opinion issued by an independent CPA firm differentiates your company from your peers by demonstrating that your company has achieved a defined set of control objectives relevant to your specific industry, your controls are effectively designed, and, in the case of a Type 2 report, that the controls are operating effectively over a period of time.


SOC 2 and Subservice Organizations

After a review of the new SOC 2 guide, Reporting on Controls at a Service Organization, I noticed that the responsibilities of the service auditor, service organization and subservice organization all seem to have increased when it comes to how subservice organizations may be considered / treated under the new standard. Trying to get all three parties on the same page is a daunting feat in itself and I wanted to take a moment to share some of the highlights. The inclusive and carve-out method can still be used for subservice organizations just as in SOC 1.

SSAE 16 REPLACING SAS 70

ADVANTAGE TO THE COLLECTIONS INDUSTRY – AGENCIES, ATTORNEYS, VENDORS, CREDITORS AND ASSET BUYERS

The AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, was issued in April 2010. As of June 15, 2011, the SSAE 16 effectively replaces the long-standing SAS 70 as the U.S. standard for reporting on a service organization's internal controls. SSAE 16 is also referred to as Service Organization Control (SOC) Reporting 1. The focus of SSAE 16 is on controls at a service organization likely to be relevant to user entities’ internal control over financial reporting. The SAS 70 has been used as the de facto standard for the collections industry for close to 20 years now. For service organizations that currently have a SAS 70 service examination (“SAS 70 audit”) performed, changes will be required to effectively report under the new SSAE 16 standard.